cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Continuation manager modes
Date Fri, 10 Dec 2004 14:56:25 GMT
Reinhard Poetz wrote:
> Leszek Gawron wrote:
> 
>> Reinhard Poetz wrote:
>>
>>> Leszek Gawron wrote:
>>>
>>>> Vadim Gritsenko wrote:
>>>>
>>>>> Leszek Gawron wrote:
>>>>>
>>>>>>
>>>>>> Previously we have discussed three continuation manager 
>>>>>> work modes:
>>>>>>
>>>>>> - standard (current functionality)
>>>>>> - continuations invalidated along with session, still the continuation
>>>>>>   is reachable from other sessions (or no session at all)
>>>>>> - fully isolated. only the session that created the continuation can
>>>>>>   access it.
>>>
>>> IIUC before you introduced your changes it was possible to reuse 
>>> continuations independently from where they have been created. What's 
>>> the use case for this so that we still have to support it?
>>
>> Hmm after 2nd reading of your post I see I did not understand you.
>>
>> There are two orthogonal aspects of continuation visibility:
>> - interpreter aspect: continuation should always be resumed by the same
>>   interpreter that created it. If not you could invoke your continuation
>>   in another sitemap (wrong context, resource not found exceptions,
>>   security problems).
>>   This case has been fixed. Still you can enable the old behaviour
>>   because some users relied on that functionality (although broken).
>>
>> - security aspect:
>>   - OLD MODE: you can make your continuations visible for everyone. One
>>     user creates a continuation and passes the link to another user. The
>>     other one invokes it in a browser - it works. This is just as it has
>>     been from the start.
>>   - NEW MODE: secure continuations.
>>     The above behaviour creates the following problems for authenticated web
>>     applications:
>>     * continuation ids might be stored in browser link history or page
>>       cache.
>>     * even though the user has logged out and the session has been
>>       invalidated the continuation might still be valid. As long as
>>       resuming the continuation does not query data from the user session it
>>       will work. This way you can have access to the secured part of the
>>       application without even logging in.
>>     So the following mode has been introduced:
>>     * continuations are bound to the session.
>>     * You can lookup the continuation only among the ones you have
>>       created yourself. This way even though you "steal" a continuation
>>       id from somewhere it's no use for you.
>>     * When the session gets invalidated all continuations get
>>       invalidated too.
>>
>> Hope that clears the situation.
> 
> Thanks for the summary. The only point I still don't understand is: 
> What's the use case to resume a continuation in a different sitemap? What 
> did people try to solve this way? (I'm asking because it sounds like a 
> bug and not like a feature that we have to maintain.)
> 
Let's ask the user himself.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
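The two visibility modes described in the quoted summary above (OLD MODE: any session, or no session, can resume a continuation; NEW MODE: only the creating, still-valid session can), as an added model that is not Cocoon's own ContinuationsManager code; the class, method and session names are assumed, and lookups return a boolean rather than a continuation object.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Session:
    id: str
    valid: bool = True
    created: Set[str] = field(default_factory=set)  # continuation ids made in this session

class ContinuationManager:
    # Assumed model, not Cocoon's API: secure=False is OLD MODE, secure=True is NEW MODE
    def __init__(self, secure: bool):
        self.secure = secure
        self._store: Dict[str, Tuple[str, str]] = {}  # id -> (interpreter, owner session id)

    def create(self, interpreter: str, session: Session) -> str:
        cid = secrets.token_hex(16)              # unguessable id in both modes
        self._store[cid] = (interpreter, session.id)
        session.created.add(cid)
        return cid

    def lookup(self, cid: str, interpreter: str, session: Optional[Session]) -> bool:
        entry = self._store.get(cid)
        # interpreter aspect: a continuation is only resumed by the sitemap that made it
        if entry is None or entry[0] != interpreter:
            return False
        # security aspect (NEW MODE): only the creating, still-valid session may resume it
        if self.secure and (session is None or not session.valid or entry[1] != session.id):
            return False
        return True

    def invalidate_session(self, session: Session) -> None:
        session.valid = False
        if self.secure:                          # NEW MODE: continuations die with the session
            for cid in session.created:
                self._store.pop(cid, None)
            session.created.clear()

def demo(secure: bool) -> Dict[str, bool]:
    # Constructed scenario: alice creates a continuation, bob has obtained its id
    mgr = ContinuationManager(secure)
    alice, bob = Session("sess-alice"), Session("sess-bob")
    cid = mgr.create("main-sitemap", alice)
    result = {"owner_resumes": mgr.lookup(cid, "main-sitemap", alice),
              "stolen_id_resumes": mgr.lookup(cid, "main-sitemap", bob),
              "other_sitemap_resumes": mgr.lookup(cid, "other-sitemap", alice)}
    mgr.invalidate_session(alice)                # alice logs out
    result["resumes_after_logout"] = mgr.lookup(cid, "main-sitemap", None)
    return result
```

In both modes the cross-sitemap lookup fails (the interpreter aspect); only NEW MODE also rejects the copied id and the post-logout resume.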
